[d-z-m]

Yes, however there's a big difference between Cloudflare and an arbitrary MITM. If you think Cloudflare is mangling traffic in a malicious way you would need a shred of evidence to substantiate that claim.

I would also push back that "most websites" use a 3rd party TLS terminating CDN/proxy layer in front of the actual webserver.

[ranger_danger]

> If you think Cloudflare is mangling traffic

I'm more concerned with the data they receive being leaked or sold.

And by most websites I guess I meant large ones that people frequent every day, because these days it's almost impossible to have any sort of useful DDoS protection without using such a service.

[d-z-m]

> I'm more concerned with the data they receive being leaked or sold.

But that's not what we're talking about here. We were talking about a MITM attack on key/tarfile distribution in the context of verifying file integrity.